AFTER MUCH SPECULATION over who provided the FBI with the mysterious solution for hacking into the San Bernardino iPhone, the Washington Post reported this week that it was a “gray hat” hacker who came forward to save the day for the feds.
According to the Post, the hacker, along with one or more associates, found a zero-day flaw in the iOS 9 software running on the San Bernardino iPhone 5C and sold it to the government for a one-time fee. This allowed the feds to bypass security features on the phone to crack its password.
So, what exactly is a gray hat hacker?
There are three types of hackers: white hats, black hats and gray hats.
White hats are security researchers or hackers who, when they discover a vulnerability in software, notify the vendor so that the hole can be patched. It used to be that white hats were rewarded with just an acknowledgement in the patch release or a T-shirt and other swag from the company they helped. But these days white hats can earn good money—anywhere from $500 to more than $100,000—by selling information about a vulnerability to companies that have bug bounty programs. White hats are considered the good guys.
Black hats are criminals. They use their prowess to find or develop software holes and attack methods (aka zero-day vulnerabilities and exploits) or other malicious tools to break into machines and steal data, such as passwords, email, intellectual property, credit card numbers or bank account credentials. They also sell information about the security holes to other criminals for them to use. Black hats are, obviously, considered the bad guys.
Gray hats fall into the middle ground between these two other hacker categories. Gray hats sell or disclose their zero-day vulnerabilities not to criminals, but to governments—law enforcement agencies, intelligence agencies or militaries. The governments then use those security holes to hack into the systems of adversaries or criminal suspects. Gray hats can be individual hackers or researchers who uncover flaws on their own, defense contractors who have hacking divisions tasked specifically with uncovering flaws for a government to use, or boutique broker firms like Vupen and Zerodium, two French companies that are in the business of finding or brokering the sale of zero-days to law enforcement and intelligence agencies.
All of these kinds of hackers are considered gray hats because they’re selling to parties that will presumably use the vulnerabilities responsibly for the public good, although that is not necessarily the case. There are governments that use zero days to spy on dissidents, political rivals and others. The Italian firm Hacking Team, for example, is known for selling its espionage tools and zero-days to repressive regimes. When it comes to good and bad, like black and white, there’s always a gray area.